Phisher phobia has gripped IT users and administrators, thanks to some highly publicized phishing successes -- and some users and admins should be more worried than others. But phishers can be beaten, says Lance James, author of the new book, Phishing Exposed, published by Syngress Publishing. James is the chief technology officer for Secure Science Corp., in San Diego, Calif.
James describes ways phishers attack Linux and Windows platforms and which platform is more vulnerable. Plus, he warns about new threats coming in 2006 in part one of this two-part Q&A. In part two, he discusses the ways anti-phishing security has failed as well as the merits of various defenses.
What new security issues do you see arising in 2006 for Linux and Windows?
James: Well, mostly remote attacks will be the mainstay against Linux, including Linux server attacks, such as Apache, cPanel, SMTP attacks.
Phishers have a use for Linux, but it's for the distribution of their attacks. So, we'll see Linux servers consistently being broken into by phishers, using them to either send spam or to launch their phishing attacks.
With Windows, [expect] continued ActiveX exploits and client-side attacks. Internet Explorer bugs will be the attack point for home users. Home users are purchasing home firewalls, but phishers break that defense because they deliver their attacks at the presentation layer: e-mail and Web.
In which areas is Windows security more vulnerable than Linux?
James: The user access issue: By default most Windows users are logged in with administrator privileges. In Linux, this is the number one rule not to do and, by default, they create a user account and log in with fewer privileges. This admin role in Windows [allows] phishers to do less work to attack a Windows machine and spread malicious code to your computer.
The advantage of Linux is not just security, but it's also the user-base awareness. The users of Windows are for everyone, whereas Linux has a certain audience that tends to be more technical. That level of technical ability, by default, changes the threat model for Linux compared to Windows due to the fact that most Linux users know what phishing is. The victim of phishing usually has never heard the word.
What about security at the browser level?
James: It's not a war about who's more secure, [Mozilla] Firefox or IE, but in Linux you have multiple browsers to choose from, and in Windows the default is IE, which holds the majority of the consumer base. So, while Firefox may have some vulnerabilities, it's targeted less by phishers since they want the IE user. Phishers tend to target the "default" user (i.e., the default installation of a machine -- plenty of them going around).
Historically, IE is a bigger target for multiple reasons: It's a black box, thus researchers get curious; and it's used by the Windows user base -- a significant number of Internet [users]. Thus, it gets targeted more by researchers and black hats. It's Microsoft, and Microsoft has enemies.
Firefox has had some nasty vulnerabilities in the past, including 2005, but they [the developers] are quick to react and very open about the vulnerabilities found. This openness enables more of a gentle approach for dealing with these vulnerabilities, and it's pretty efficient. Opera doesn't have a strong user base, so it will be examined less for bugs, and this could be bad for Opera if it were to get popular.
What is the difference in methodology between attacks on Linux and Windows?
James: Windows is one distribution. That makes it a single point of failure. If a virus author writes a virus for Linux, the propagation will be low, due to the fact that all the different distributions for Linux are configured differently. In a way, even though it's the same operating system, its heterogeneous configuration and services make it a bit more difficult to just write one program and infect a bunch of Linux machines.
Let me give an example: With Windows, most virus attacks are typical, found in e-mail, on the Web or using a remote attack like rpcdcom (remote procedure call, distributed component object model) or IIS [Microsoft Internet Information Server]. How many other Web servers have you seen being used in Windows? IIS seems to be the main one.
When people see [a Web server on] Linux, it's Apache in versions 1.3.31, 1.3.33, 2.0.xx or others. So, the virus attacker will have to scan the Internet looking for the right Apache version to exploit. Also, that's a server, thus it affects systems differently. Then, the virus has to figure out how to get root as well.
Usually, when IIS is run, it is system access by default, and you can count on it. You pop IIS, and you have root, and the configuration is almost guaranteed to be the same for all the boxes you run into. With Apache, the user is nobody, and getting root on each different distribution will be difficult, as you will have to identify the situation.
It is essentially a homogeneous versus heterogeneous concept between the threat models for attacking these systems. The exploits may be similar, but the reason, the method and the steps to attack it are different.
This doesn't mean that a PHP virus won't hit all Linux systems, but the chances of popping root on every single box are lower. In short, the return on investment is different since the demographical data is different for each platform.
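The point James makes about Apache running as `nobody` while IIS runs with system access is a least-privilege check a defender can verify rather than assume. The following script is an added example and is not code from the book or from Secure Science; it parses a `ps -eo user,pid,ppid,comm`-style process listing (a constructed sample is embedded, and the Apache process names `httpd`/`apache2` are assumed) and flags any request-handling worker that runs as root. The parent listener is expected to run as root because it binds the privileged port; the children that actually parse client input are the ones that must not.

```python
"""Verify that web-server worker processes run without root privileges.

Added example (not from the original interview or book). Parses a ps-style
listing and reports Apache workers running as root. Only the parent listener
should be root; workers should run as an unprivileged account such as
`nobody` or `www-data`.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: Apache-style process names; extend for other servers as needed.
WEB_SERVER_NAMES = {"httpd", "apache2"}
PRIVILEGED_USERS = {"root"}

# Constructed sample in the shape of `ps -eo user,pid,ppid,comm` output.
# PID 1203 is a deliberately misconfigured worker running as root.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root      1200     1 httpd
nobody    1201  1200 httpd
nobody    1202  1200 httpd
root      1203  1200 httpd
postfix   1300     1 master
"""


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    comm: str


def parse_ps(text: str) -> List[Proc]:
    """Parse the four-column listing; the first line is the header."""
    procs: List[Proc] = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        user, pid, ppid, comm = parts
        procs.append(Proc(user, int(pid), int(ppid), comm))
    return procs


def web_workers(procs: List[Proc]) -> List[Proc]:
    """A worker is a web-server process whose parent is the same server binary."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    workers = []
    for p in procs:
        if p.comm not in WEB_SERVER_NAMES:
            continue
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.comm == p.comm:
            workers.append(p)
    return workers


def privileged_workers(procs: List[Proc]) -> List[Proc]:
    """Return workers that handle requests with a privileged account."""
    return [w for w in web_workers(procs) if w.user in PRIVILEGED_USERS]


def worker_users(procs: List[Proc]) -> List[str]:
    """Distinct accounts the workers run as, in first-seen order."""
    seen: List[str] = []
    for w in web_workers(procs):
        if w.user not in seen:
            seen.append(w.user)
    return seen


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("worker accounts:", ", ".join(worker_users(procs)))
    for bad in privileged_workers(procs):
        print(f"FINDING: worker pid {bad.pid} ({bad.comm}) runs as {bad.user}")
```

On a live host the same logic can be fed the real output of `ps -eo user,pid,ppid,comm`; a clean result is a worker list that contains only an unprivileged account, which is the condition that turns a compromised request handler into a local privilege-escalation problem rather than an immediate root shell.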
In your book, you write that Microsoft has taken the stance that stopping phishing is the user's, not the browser's, responsibility, and that user education is the answer. What do you make of this stance?
James: I don't agree with it, because there are many responsibilities. The computer user is just that, the user. They are not experts. They know how to use their computers in the way that Windows or Macs train them to use it.
I'm not against education, but that's one step in a very large process. You don't go to battle with just one weapon. There is vendor responsibility; misplaced trust breaks all the education in the world.
I'm not trying to bash Microsoft with that statement. Microsoft believes it has a solution. VeriSign [Inc.] believes it has a solution. The crypto groups at CAcert believe toolbars are the answers, and companies that sell virtual keyboards believe they have the answer.
The truth is education, toolbars and consumer contact don't work. The people that will be getting victimized are the ones that you never reached, and the fight to educate against phishing is a losing battle. Phishers move faster. By the time we tell them what it is, they've owned us.